SHUTTING OUT STRANGERS

The Radius protocol is typically used to authenticate users in dial-up scenarios. But Radius is also useful in LAN environments: in combination with 802.1X, Radius forces users to authenticate at a low level before the switch opens up a port.

Attacks from internal networks are dangerous and more difficult to prevent than external attacks. An attacker who plugs in to an internal network with a laptop gains wide-ranging access to network data. One way of preventing an attack is to implement an authentication function in OSI Layer 2 using the 802.1X [1] protocol. An 802.1X-capable switch and a Freeradius server are all you need to implement Layer 2 authentication. Because Layer 2 authentication operates at the level of the local, physical network, it prevents an intruder from even using the physical network without authentication. Radius (Remote Authentication Dial-in User Service Protocol) responses from a Linux server typically include the IP address and standard gateway for the user, but the protocol has more potential. You can use a Radius server to assign a VLAN to the user’s switch port. This technique avoids the need for a complex router infrastructure, but still restricts the size of the broadcast domain.

The virtualization breakthrough has not reduced the number and diversity of operating systems that admins must install and manage. Uranos server sets out to give administrators of complex operating system zoos more freedom.

Security experts are always concerned with WLAN access points, but they sometimes forget that the client is also open to attack. Public hotspots make it quite easy for attackers to hijack connections, as the Hotspotter tool demonstrates.

Eavesdropping on conversations on a LAN is easier than ever thanks to insecure VoIP installations. You don't need to bug restaurant booths or tap phone lines – standard Linux tools are all a hacker needs.